netlify.toml

[[headers]]
  for = "/*"
  [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block; report=https://jloh.report-uri.com/r/d/xss/enforce"
    X-Content-Type-Options = "nosniff"
    X-GitHub = "jloh/app.geojs.io"
    X-Made-By = "@itsjloh"
    Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
    Referrer-Policy = "no-referrer-when-downgrade"
    # CSP Policy
    # Report only
    # Note: Report only policy doesn't have 'upgrade-insecure-requests' as this does nothing in report-only
    ##Content-Security-Policy-Report-Only = '''
    ##default-src 'none' ;
    ##script-src 'self' maxcdn.bootstrapcdn.com code.jquery.com cdnjs.cloudflare.com get.geojs.io;
    ##style-src 'self' maxcdn.bootstrapcdn.com;
    ##img-src 'self' data: ;
    ##font-src 'none' ;
    ##form-action 'self' ;
    ##block-all-mixed-content;
    ##report-uri https://jloh.report-uri.com/r/d/csp/reportOnly;'''
    # Live rules -  be careful!
    Content-Security-Policy = '''
    default-src 'none';
    script-src 'self' get.geojs.io cdn.simpleanalytics.io sa.geojs.io;
    style-src 'self';
    img-src 'self' data: api.simpleanalytics.io sa.geojs.io;
    connect-src api.simpleanalytics.io sa.geojs.io;
    font-src 'none';
    form-action 'self';
    upgrade-insecure-requests;
    block-all-mixed-content;
    report-uri https://jloh.report-uri.com/r/d/csp/enforce;'''

[build]
  command = "yarn build"
  publish = "build"